Botnets - The Killer Web Applications

www.syngress.com
Advanced Ourmon Techniques • Chapter 9
321


start of the IP header itself. IP headers are normally 20 bytes long, and UDP
headers are 8 bytes long. The ASCII dump on the right-hand side shows that
the data contents were the ASCII digits 0123456789. The strength of the
outburst (1.5 million packets in 30 seconds), the remote port (UDP/6667), the
size of the packets themselves (as small as possible), the lack of any
meaningful payload, and the UDP weight metric itself all strongly suggest that
this data flow served no legitimate application and was crafted as a DoS
attack.
We know from our own forensic experience that the initial compromise in
attacks like this is commonly aimed at Unix-based Web servers running Web
scripts with unpatched bugs. An example of this sort of attack is the Perl-
based Santy worm (see www.norman.com/Virus/Virus_descriptions/
19122/en), which used Google to look for vulnerable sites to attack. Once a
system has been compromised by malware like Santy, a tool can be downloaded
that lets the attackers launch large UDP-based attacks at remote sites, and it
may well include a botnet command-and-control connection as well.
We don't have any specific knowledge about why UDP port 6667 might have
been chosen. That port is usually associated with IRC, but IRC servers
traditionally listen on TCP port 6667, not UDP. In any case, sending a high
volume of useless UDP packets at a remote system is an antisocial act.
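The heuristics just described (packet count per 30-second sample, destination port, packet size, and the absence of meaningful payload) can be applied mechanically to tcpdump's one-line summaries. The following script is an added example written for this chapter; it is not Ourmon's code or the book's, the sample traffic it builds is constructed, and all thresholds (1,000 UDP packets per second, a 16-byte mean payload, 1,000 SYNs from 100 sources) are assumptions chosen for illustration. It goes slightly beyond this paragraph: the same parser also recognizes the TCP SYN lines tcpdump prints and labels a burst of SYNs from many sources to one listener as a SYN flood.

```python
"""Flag DoS-like bursts in tcpdump one-line summaries.

Added example for this chapter; it is not Ourmon's code or the book's. The
sample traffic below is constructed, and every threshold is an assumption.
"""
import re
from dataclasses import dataclass, field

# tcpdump's default summary lines for IPv4 UDP and TCP SYN packets, e.g.
#   12:58:29.000001 IP 10.0.10.1.1024 > 192.168.4.4.6667: UDP, length 10
#   12:58:29.366866 IP 10.0.10.1.32560 > 192.168.4.4.22: S 549104161:549104161(0) win 32120
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(?:(UDP), length (\d+)|(S) \d+:\d+\(\d+\))"
)


@dataclass
class Target:
    """Everything seen for one (destination, port, protocol) in a sample."""
    packets: int = 0
    payload_bytes: int = 0          # UDP payload only; SYNs carry none
    sources: set = field(default_factory=set)
    first: float = float("inf")
    last: float = 0.0


def parse(line):
    """Return (ts, src, dst, dport, proto, payload_len) or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    h, mi, s, src, _sport, dst, dport, udp, length, _syn = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    return ts, src, dst, int(dport), ("UDP" if udp else "SYN"), int(length or 0)


def classify(lines, window=30.0, udp_pps=1000, max_payload=16,
             syn_packets=1000, syn_sources=100):
    """Label each target as udp-flood, syn-flood or normal.

    window is the sampling period in seconds (Ourmon reports every 30 s); the
    thresholds are illustrative assumptions, not Ourmon's own weights.
    """
    targets = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto, length = rec
        t = targets.setdefault((dst, dport, proto), Target())
        t.packets += 1
        t.payload_bytes += length
        t.sources.add(src)
        t.first, t.last = min(t.first, ts), max(t.last, ts)

    verdicts = {}
    for key, t in targets.items():
        proto = key[2]
        pps = t.packets / window
        mean_payload = t.payload_bytes / t.packets
        if proto == "UDP" and pps >= udp_pps and mean_payload <= max_payload:
            verdict = "udp-flood"      # high rate, tiny payloads: no real application
        elif proto == "SYN" and t.packets >= syn_packets and len(t.sources) >= syn_sources:
            verdict = "syn-flood"      # many sources hammering one listener
        else:
            verdict = "normal"
        verdicts[key] = {"verdict": verdict, "packets": t.packets, "pps": pps,
                         "sources": len(t.sources), "mean_payload": mean_payload,
                         "span_s": round(t.last - t.first, 6)}
    return verdicts


def udp_burst(n, dst="192.168.4.4", port=6667, payload=10):
    """Constructed sample: n UDP packets with a 10-byte payload across one 30 s sample."""
    return [f"12:58:{i * 30.0 / n:09.6f} IP 10.0.10.{1 + i % 3}.{1024 + i % 60000} "
            f"> {dst}.{port}: UDP, length {payload}" for i in range(n)]


def syn_burst(n, dst="192.168.4.4", port=22):
    """Constructed sample: n SYNs, each from a distinct source address, to one SSH port."""
    return [f"12:58:{i * 30.0 / n:09.6f} IP 10.{i // 65536}.{i // 256 % 256}.{i % 256}.{1024 + i % 60000} "
            f"> {dst}.{port}: S {i}:{i}(0) win 32120" for i in range(n)]


# Constructed background traffic: two DNS queries, which must not be flagged.
NORMAL = [
    "12:58:01.000000 IP 192.168.4.10.5353 > 192.168.4.4.53: UDP, length 40",
    "12:58:02.000000 IP 192.168.4.11.5353 > 192.168.4.4.53: UDP, length 38",
]

if __name__ == "__main__":
    for key, v in classify(udp_burst(45000) + syn_burst(5000) + NORMAL).items():
        print(key, v)
```

Feeding it `tcpdump -n -tt`-style lines from a real capture works as long as the summary format matches the two shapes the regular expression accepts; the script deliberately keys on destination address, port and protocol rather than on source, because a flood sourced from one compromised host and one spoofed from many addresses look the same at the victim.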
Now let's look at another example. In this case we'll examine the output
created by the drops trigger during the DDoS attack described in Chapter 6.
Here we have three sample packets:
12:58:29.366866 IP 10.0.10.1.32560 > 192.168.4.4.22: S
549104161:549104161(0) win 32120 2097152000,nop,wscale 0>
12:58:29.366869 IP 10.0.10.2.17001 > 192.168.4.4.22: S
1301935973:1301935973(0) win 32120 2097152000,nop,wscale 0>
12:58:29.366872 IP 10.0.10.3.1878 > 192.168.4.4.22: S
3044014642:3044014642(0) win 32120 889192448,nop,wscale 0>
Here we are seeing external IPs targeting one interior network IP at port
22, which is typically used by the Secure Shell daemon (SSHD). All the
packets are TCP SYNs, which means that all the packets are as small as 